Mailinglist Archive: opensuse-factory (914 mails)

< Previous Next >
Re: [opensuse-factory] snapd for openSUSE

Am Freitag, 2. Juni 2017, 10:01:31 CEST schrieb Simon Fels:
IIRC the snaps talk at osc'17 last week ( rynicki/snaps-on-open-suse/41), there
are also some apparmor patches (which have been sent to upstream)
which are needed to have proper security. Is it on your todo list ?

Yeah, there are people working on pushing all necessary patches for
AppArmor to the upstream Linux kernel so we can have proper AppArmor
confinement with a pure upstream kernel soon. However I am not sure
where we are with this at the moment, but last I've heard was that we
just miss a few smaller things after 4.12 is out.

John Johansen [1] would probably disagree with "a few smaller things"

The initial goal was 4.13, but as things look like now, 4.14 is the
realistic target.

I asked the kernel team to backport the patches so that we can have them
in Leap 15. For more details, see and

Note that those patches will also add several new AppArmor rule types
which might need some profile updates. This is why I'd prefer to have
them ready in Leap 15 - adding them in a minor release probably isn't a
good idea.

For now we will keep snapd on openSUSE in the so called forced-devmode
which will deactivate strict confinement via AppArmor but just keeps
the seccomp part enabled.

I hope this comes with a very visible warning about the security
implications ;-)


Christian Boltz

[1] John is one of the upstream AppArmor developers and works on getting
the kernel patches upstreamed
xslt, was? Wir kombinieren das Paradigma von awk mit der
sprachlichen Eleganz von Cobol und den programmiertechnischen
Verrenkungen von funktionalen Sprachen unter sorgfältiger
Umgehung aller möglichen Vorteile. [Kristian Köhntopp]

To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >